The Apple 2FA Lawsuit That Could Alter Endpoint Security

A 2019 class action lawsuit against Apple claims that setting up and using two-factor authentication (2FA) is harming Apple customers in many ways, including the loss of time.

Why InfoSec should actually watch this case

And while the case has led to some funny headlines and a whole lot of snickering, there is an interesting legal question being tested here, and cybersecurity leaders and companies should keep an eye on it.

Apple two-factor authentication lawsuit: the crux for InfoSec

This case reminds us of the debate that took place when seat belt laws were being passed across North America a few decades ago.

The question then: Does anyone (even the state) have the right to tell me how to secure myself in my personal vehicle?

The crux of this lawsuit against Apple's 2FA policies is this: Does a company I pay for services or products have the ability to require me to secure my device, or endpoint, in a certain way?

And if I don't respond appropriately, can they deny me access to that device or those services?

Key accusations in Apple two-factor authentication lawsuit

Apple now requires 2FA when a software update occurs on an Apple device or upon the creation of a new Apple ID.

And the plaintiff in this case, Jay Brodsky, is claiming this is worth suing over for a variety of reasons.

"Apple has knowingly and intentionally and withoutauthorization interfered with Plaintiff and Class Members’ possessory interest of their one or more Apple devices by requiring an extraneous login process through two-factor authentication that is imposed on Plaintiff and Class Members without authorization or consent."

The translation is that Apple is trying to force cybersecurity on its users, which allegedly interferes with the ability to use a device as the customer sees fit.

Apple 2FA lawsuit, point #2: Apple is "hurting me by wasting my time"

"As a result of Apple’s coercive policies with regards to security of Plaintiff owned devices, Plaintiff and millions of similarly situated consumers across the nation have been and continue to suffer harm. Plaintiff and Class Members have suffered economic losses in terms of the interference with the use of their personal devices and waste of their personal time in using additional time for simple logging in."

The lawsuit claims each use of 2FA costs customers 2-5 minutes of lost time, and that Apple will lock out customers who refuse to follow the company's 2FA rules, which is unfair.

What the Apple 2FA lawsuit is asking for

The plaintiff is asking for Apple to be barred from forcing its customers to use two-factor authentication, and asking for money to cover the loss of time from using 2FA and from getting locked out when you refuse to use it.